Connect Palo Alto Networks IoT Security

Elisity supports simple API connectivity to Palo Alto Networks IoT Security as a method to enrich IT, IoT, IoMT and OT device discovery and identity. This allows data from Palo Alto Networks IoT Security to be pulled into IdentityGraph for use as Core Effective Attributes when creating policies, enhancing the precision and accuracy of device classification and Policy Group matching.

Prerequisites

  • API Path (Provided by Palo Alto Networks)
  • Customer ID (Provided by Palo Alto Networks)

  • Key ID (Generated in IoT Security)
  • Access Key (Generated in IoT Security)

Steps to Connect Palo Alto Networks IoT Security

Palo Alto Networks API Instructions

Step 1. Create an API user in IoT Security: log in to Palo Alto Networks IoT Security and navigate to Preferences under your User Name. In the User Role & Access section, find the API Access Key and click Create next to it.

A notification about the access key will be displayed; select Create again.

Another notification will appear with details about the newly generated API key. The Access Key is obfuscated for security reasons, so select Download to retrieve the Key ID and Access Key securely.

 

Step 2. Log in to Elisity Cloud Control Center, navigate to Settings > Connectors, and select the + Add Connector button.

 

Step 3. A list of tiles will slide out from the right side of the screen. Select Configure on the Palo Alto Networks IoT Security tile.

 

 

Step 4. Input the API Path, Customer ID, and the newly generated Key ID and Access Key and select Submit.


Step 5 (optional). Configure advanced settings for the Palo Alto Networks IoT Security connector.

The following list provides details about each advanced setting:

  • Global Timer: The frequency at which Cloud Control Center queries Palo Alto Networks IoT Security for updates. From 1 to 168 hours. Default is 24 hours.
  • Initial Delay: The delay in seconds before Cloud Control Center initiates the first query to Palo Alto Networks IoT Security after initially discovering a new device. Default is 0 seconds.
  • Query Exclusion Rules: Limit the scope of Cloud Control Center queries by specifying Subnets and Virtual Edge Nodes, and by enabling or disabling the querying of devices with Random MAC addresses.
  • Connector Data Purging: When the Connector Data Purging feature is enabled, Cloud Control Center will purge all data learned about the device from this connector if the device is no longer found when querying the connected application. The time period between purge events is configurable and can be set between 1 and 90 days. The connector status will change from "Up to Date" to "Stale" if the device is no longer known by the connector but the purge event has not yet occurred.
  • IP Only Based Lookup: This option enables fallback behavior to query by IP address when a query by MAC address does not return a result.

 

 

Step 6. If all of the required connector values are correct, all checks will pass and the connector will be created. After successful configuration, you should begin to see devices enriched by Palo Alto Networks IoT Security in IdentityGraph.

Connector Status

The Connector status reflects its health and availability based on recent query performance. To ensure accuracy and reduce false positives, the status is determined using a rolling 15-minute evaluation window.

Connector Status Levels:

  • Active: Normal operation with minimal query failures.
  • Degraded: Increased query failures detected, but the connector is still operational.
  • Inactive: The connector is unresponsive due to persistent failures.

Failures are defined as unsuccessful query responses, and the platform continuously monitors performance to update the status accordingly. These status changes are visible in the UI, event logs, and notifications pane for better troubleshooting. Email alerts can also be configured for connector status changes.

If the connector has not been queried within the evaluation window, the last known status is retained. This approach ensures reliable status reporting and helps identify potential issues before they impact operations.
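
A minimal model of the status evaluation described above, added here as an illustration and not Elisity's own code. The 15-minute rolling window, the three status levels and the retain-last-status rule come from this article; the failure-ratio thresholds, class and function names, and the sample query results are assumptions, since the article does not publish them.

```python
from collections import deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 15 * 60   # rolling evaluation window stated in this article
DEGRADED_RATIO = 0.25      # assumed threshold, not documented by Elisity
INACTIVE_RATIO = 0.90      # assumed threshold, not documented by Elisity


@dataclass
class ConnectorHealth:
    status: str = "Active"
    _events: deque = field(default_factory=deque)  # (timestamp, succeeded)

    def record(self, ts: float, succeeded: bool) -> None:
        self._events.append((ts, succeeded))

    def evaluate(self, now: float) -> str:
        # Drop query results that have aged out of the rolling window.
        while self._events and self._events[0][0] <= now - WINDOW_SECONDS:
            self._events.popleft()
        if not self._events:
            return self.status  # no queries in the window: keep last known status
        failures = sum(1 for _, ok in self._events if not ok)
        ratio = failures / len(self._events)
        if ratio >= INACTIVE_RATIO:
            self.status = "Inactive"
        elif ratio >= DEGRADED_RATIO:
            self.status = "Degraded"
        else:
            self.status = "Active"
        return self.status


def replay(events, checkpoints):
    """Replay (ts, succeeded) query results; return the status at each checkpoint."""
    health = ConnectorHealth()
    pending = deque(sorted(events))
    timeline = []
    for now in checkpoints:
        while pending and pending[0][0] <= now:
            health.record(*pending.popleft())
        timeline.append((now, health.evaluate(now)))
    return timeline


# Constructed sample: (seconds since start, query succeeded?)
SAMPLE = [(0, True), (60, True), (120, True), (180, True), (240, False),
          (600, False), (660, False), (720, False)]

if __name__ == "__main__":
    for ts, status in replay(SAMPLE, [300, 800, 1500, 3000]):
        print(f"t={ts:>5}s  {status}")
```

The last checkpoint falls after every recorded query has left the window, so the model keeps reporting the previous status rather than resetting to Active. An alert rule built on status changes will not fire for a connector that simply stops being queried.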

 

Leveraging Palo Alto Networks IoT Security with Elisity

When Elisity discovers a new asset on the network and the Palo Alto Networks IoT Security connector is active, Cloud Control Center queries the IoT Security platform via API for additional device attributes in order to enrich IdentityGraph. This enriched data is displayed in the IdentityGraph tab of the device and can be leveraged as Elisity Core Effective Attributes for Policy Group definition. 

To learn more about how to leverage IdentityGraph Core Effective Attributes, review the IdentityGraph article.

 

If a device discovered by Elisity is also known in Palo Alto Networks IoT Security, the Trust Attribute flag for "Known in Palo Alto IoT Security" will be set to Yes. You can then leverage this trust attribute as match criteria in Policy Group definition. 

To learn more about how to leverage IdentityGraph Trust Attributes, review the Leveraging Trust Attributes for Policy Group Definition article.

 
